fix: refactor path utility functions to enhance security against path traversal attacks

apps/app/src/server/routes/apiv3/g2g-transfer.ts

@@ -22,7 +22,7 @@ import { TransferKey } from '~/utils/vo/transfer-key';
 import type Crowi from '../../crowi';
 import { apiV3FormValidator } from '../../middlewares/apiv3-form-validator';
 import { Attachment } from '../../models/attachment';
-import { isPathWithinBase } from '../../util/path-utils';
+import { isPathWithinBase } from '../../util/safe-path-utils';
 import type { ApiV3Response } from './interfaces/apiv3-response';
 
 interface AuthorizedRequest extends Request {

apps/app/src/server/service/growi-bridge/index.ts

@@ -7,7 +7,7 @@ import unzipStream, { type Entry } from 'unzip-stream';
 import type Crowi from '~/server/crowi';
 import loggerFactory from '~/utils/logger';
 
-import { assertFileNameSafeForBaseDir } from '../../util/path-utils';
+import { assertFileNameSafeForBaseDir } from '../../util/safe-path-utils';
 import type { ZipFileStat } from '../interfaces/export';
 import { tapStreamDataByPromise } from './unzip-stream-utils';
 

apps/app/src/server/util/path-utils.spec.ts → apps/app/src/server/util/safe-path-utils.spec.ts

@@ -4,7 +4,7 @@ import {
   assertFileNameSafeForBaseDir,
   isFileNameSafeForBaseDir,
   isPathWithinBase,
-} from './path-utils';
+} from './safe-path-utils';
 
 describe('path-utils', () => {
   describe('isPathWithinBase', () => {